Malicious FedEx Postal Receipts Hide Cobra Trojan

Experts from a couple of security firms have identified a spam campaign that relies on fake FedEx notifications to distribute a piece of malware.

“Dear Customer, Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you. To receive a parcel, please, go to the nearest our office and show this postal receipt,” the emails read.

The so-called postal receipt, a file called “Postal-Receipt.exe,” bears a document icon to make it less suspicious. Furthermore, when it’s executed, a document reader application is launched.

However, in the background, the malicious element injects code into svchost.exe and contacts its remote command and control server in an attempt to download the payload.

This particular malware is detected by GFI Software solutions as Trojan.Win32.Generic.pak!cobra and TR/Inject.exab by Avira.

According to GFI researcher Chris Boyd, the infection files from these attacks have been linked to ransomware.